Re: Reporting brute force ssh login attempts
On Wednesday 15 November 2006 18:51, Shri Shrikumar wrote:
> Hi All,
>
> I have a few servers on which there is a regular penetration attempts
> using brute force password guessing bots.
>
> There is little risk to the server but am getting more and more annoyed
> by this and as far as I can see am left with two options.
>
> 1. Report each ip address that does this. However, a lot of them seems
> to be from asia with no proper abuse@ address to contact. Additionally,
> this can be very time consuming.
>
> 2. Change the port number that ssh uses to something else. This has the
> annoyance that I need to pass the new port number in each time I want to
> log-in.
>
> 3. Ignore the issue. Very annoying since logwatch and logcheck
> constantly complain about it. However, I can add filters so it annoys me
> less.
>
> Is there a another option? Alternatively, is there a way of
> automatically reporting offending ip's?
>
> Any input in this matter greatly appreciated.
>
> Best Wishes,
>
>
> Shri
Hello Shri,
A handy tool I use to cut down on ssh brute force attacks is fail2ban : You
can install it from backports.org.
Add the backport url to your sources.list
http://www.backports.org/dokuwiki/doku.php?id=instructions
Then after you have installed fail2ban comment out www.backports.org url in
your apt sources.list so that you will not bring in any unwanted packages in
the future.
http://fail2ban.sourceforge.net/wiki/index.php/README
http://www.ducea.com/2006/07/03/using-fail2ban-to-block-brute-force-attacks/
http://www.debianhelp.co.uk/fail2ban.htm
regards
peter colton
Reply to: